The Elite Hackers Toolkit

home *** CD-ROM | disk | FTP | other *** search

/ The Elite Hackers Toolkit / TheEliteHackersToolkitVolume1_1998.rar / HACKERS.BIN / appcraks / UCFPE113.ZIP / STNPEE.ASM < prev next >

Wrap

Assembly Source File | 1998-01-18 | 25KB | 865 lines

Comment % Stone's PE-ExeEncrypter v1.13 This program is dedicated to the person that thought me the concept of happiness and the those few who makes the meaningness of life seem unimportant to me! Contacting: I can be emailed at: stone@one.se Credits: This could not have been made without the efforts of: Random/UCF, you are the PeKing.. Acp/UCF, Who is my mentor in Windows assembly coding Patriarch/PWA, My landlord and friend! Thanks for it all! Rose, My betatester (blame him for any bugs :) nahhh) Marquis De Soiree/UCF, for the support and betatesting DjHD/UCF, thanks for telling it didn't run under NT :) Stefan Esser, you greet me - I greet you :) United Cracking Force & Xtremist INC, my "sponsors" and benefactors Numbers.inc is written by Patriarch/PWA, modified by Acp/UCF to fit the windows console and finally custumized by me. Console.inc is written by Acp/UCF All bugs and errors are of my doing (those that doesn't belong to microsoft for inventing this weird format) the above people only contributed in making this better Usage: stnplee.exe <PEFILE> % subvalue EQU 1 ; 0 = encryption off, anything else=on (debug variable) version EQU "v1.13" ; First release candidate with DLL support .386P ; 386 Priveledged mode... Locals jumps .Model Flat ,StdCall ;Define the needed external functions and constants here. Extrn ExitProcess : PROC Extrn CreateFileA : PROC Extrn SetFilePointer : PROC Extrn MessageBeep : PROC Extrn CloseHandle : PROC Extrn ReadFile : PROC Extrn WriteFile : PROC Extrn GetCommandLineA : PROC Extrn GetLastError : PROC .Data Title1 db "Stone's PeExeEncrypter",0 ; Tittle of Program FileAttr dd 0 ; Standard File Attributes = none FileHandle dd 0 ; Store the FileHandle Here BytesRead dd 0 ; We read this many bytes ObjTblOff dd 0 ; Object table located here (displacement from PEheader) PeHeaderOff dd 0 ; File offset of PEHEADER CurrentRVA dd 0 ; Current RVA while encrypting ITRVA dd 0 ; RVA of IT ITENDRVA dd 0 ; END of IT ObjectDone db 0 ; Are we finished with this object? ;────────────────────Decryption routine Object Table ───────────────────────── ObjectForm: ; the new object (size / total) oname db ".Stone",0,0 ; Name of the object (8 / 8) VirtualSize dd 0 ; Virtual Size of object (4 / 12) RVA dd 0 ; Relative Virtual Adress of obj (4 /16) PhysicalSize dd 0 ; Physical Size (4 / 20) PhysicalOffset dd 0 ; (4 / 24) Reserved dd 0,0,0 ; (12 / 36) objectflags db 40h,0,0,0c0h ; Initialized data object, (4 / 40) ; nada, nada ; ; 80 = W, 40 =R, 20 = E (I think - see PE.TXT for more INFO) ;─────────────────────────────The PE-HEader─────────────────────────────────── PePrimSize EQU 88 ; Bytes in PEHeader /wo ObjTbl n'stuff PEHeader: ; essential part of the pe header signature dd 0 ;+0 cputype dw 0 ;+4 NumObj dw 0 ;+6 db 3*4 dup (0) ;+8 crap NtHeaderSize dw 0 ;+20=1eh Flags dw 0 ;+22 db 4*4 dup (0) ;+24 crap entrypointRVA dd 0 ;+40 - entry point relative to IB db 2*4 dup (0) ;+44 Crap ImageBase dd 0 ;+52 - every RVA is relative to this ObjAlign dd 0 ;+56 FileAlign dd 0 ;+60 db 4*4 dup (0) ;+64 Crap ImageSize dd 0 ;+80 HeaderSize dd 0 ;+84 vend: ;+88 = 58h RestOfHead db 3000 dup (0) ; Rest of the header (plenty space) ;──────────────Encryption data──────────────────────────────────────────────── EncryptBuffer db 16 dup(0) ; Buffer CurrentPos dd 0 ; Current Position in PE-EXE CurrDisp dd 0 ; Displacement of Objectdata in Appedix OutOff dd 0 ; offset of something to go out ;───────────────────────Messages ───────────────────────────────────────────── MsgIntro db "-[X]- Stone's PE-EXE Encrypter ",version," -[X]-",13,10 DB "──────────────| STONE |──────────────",10,13 DB " ▄▄▄ ▄▄▄ ▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄ ",10,13 DB " ███ ███ ███ ███▄▄▄ ",10,13 DB " ███▄ ███ ███▄ ███ ",10,13 DB " ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀ ",10,13 DB "─────────────────────────────────────────",10,13 DB "u N I T E D c R Æ C K I N G f O R C E ",10,13 DB "[wIN95/NT]─────────────────────[Jan 1998]",10,13 db "Legend: [i] = INFO, [X] = Status, [!] = Error",10,13 LenIntro EQU $-MsgIntro MsgNoCmdLine db " [i] Usage: StnPee.exe <INPUT FILE>",10,13 LenNoCmdLine EQU $-MsgNoCmdLine MsgOpenErr db " [!] An error has occured opening the file error code: " LenOpenErr EQU $ - MsgOpenErr MsgOpenOk db " [X] File Opened Successfully",10,13 LenOpenOk EQU $ - MsgOpenOk MsgPEOk db " [X] Header Loaded Successfully ",10,13 LenPEOk EQU $-MsgPEOk MsgNotPE db " [!] This Appears not to be a Valid PE file! :(",10,13 LenNotPE EQU $-MsgNotPE MsgErrRead db " [!] An error has occured reading the file, error code: " LenErrRead EQU $-MsgErrRead MsgAppendSize db " [i] Appending Bytes : " LenAppendSize EQU $-MsgAppendSize MsgPeHOff db " [i] Offset of PeHeader is : " LenPeHOff EQU $-MsgPeHOff MsgNumObj db " [i] Original Number of objects : " LenNumObj EQU $-MsgNumObj MsgObjAlg db " [i] Object Alignment : " LenObjAlg EQU $-MsgObjAlg MsgHSize db " [i] HeaderSize : " LenHSize EQU $-MsgHSize MsgImageSize db " [i] ImageSize : " LenImageSize EQU $-MsgImageSize MsgEPRVA db " [i] Original EntryPoint RVA : " LenEPRVA EQU $-MsgEPRVA MsgIB db " [i] ImageBase : " LenIB EQU $-MsgIB MsgH db "h",10,13 LenH EQU $-MsgH MsgH2 db "h " LenH2 EQU $-MsgH2 MsgSpace db " " LenSpace EQU $-MsgSpace MsgObjLine db "Objectname VirSize RVA PhysSize PhysPos Flags Encrypted" LenObjLine EQU $-MsgObjLine MsgLfCf db 10,13 LenLfCf EQU $-MsgLfCf MsgYup db "Yup!" LenYup EQU $-MsgYup MsgOhfuck db 10,13," [i] It appears that this file was linked with an old linker - this means that it is liable to chrash your computer when running it!",10,13 ; Debug-bug message! :) LenOhfuck EQU $-MsgOhfuck MsgNoObjSpace db " [!] Sorry - No space in the Object table! - aborting",10,13 LenNoObjSpace EQU $-MsgNoObjSpace ;────────────────────────────────────────────────────────────────────────────── .Code Include Console.inc Include Numbers.inc Main: CALL Init_Console ; Init Console for output Write_Console <offset MsgIntro> <LenIntro> ; Write intro text call GetCommandLineA ; get commandline mov edi,eax ; => EDI -> Commandline mov ecx, -1 mov al,0 push edi CLD repnz scasb pop edi not ecx ; => ECX = length of commandline mov al,20h repnz scasb ; the the space before the parameter repz scasb ; remove superflousious spaces test ecx,ecx ; test if anything at all was written jz NoCommandLine dec edi cmp byte ptr [edi], '/' ; Did the user try /H or something? jz NoCommandLine CALL OpenRW ; Open Read Write CMP EAX, -1 JNZ NoOpenErr Call GetLastError Write_Console <offset MsgOpenErr> <LenOpenErr> call Hex2Dec Write_Console <offset MsgH> <LenH> JMP Exit_Proc NoOpenErr: MOV FileHandle, EAX Write_Console <offset MsgOpenOk> <LenOpenOk> PUSH 0 PUSH 0 PUSH 3ch ; Set File Pointer to 3ch ; Dos relocation table ; on this place PEfiles store ; the offset of the PEHeader! PUSH DWord ptr [FileHandle] CALL SetFilePointer ;------- Read Offset of PE-header PUSH 0 ; Something PUSH offset BytesRead ; Bytes read PUSH 4 ; Bytes to read PUSH offset PeHeaderOff ; Read to here PUSH DWord ptr [FileHandle] ; From here CALL ReadFile CMP EAX,-1 JZ Error_Read ;-------- Set file pointer to PE header PUSH 0 ; Method 0 (From begining of file) PUSH 0 PUSH DWord ptr [PeHeaderOff] ; To this offset PUSH DWord ptr [FileHandle] ; on this file CALL SetFilePointer ;-------- read PE-header (preliminary) PUSH 0 PUSH offset BytesRead ; This many bytes read PUSH PePrimSize ; read this many bytes (88=size of ; "main" PEheader) PUSH offset PEHeader ; To here PUSH DWord ptr [FileHandle] ; from this file CALL ReadFile ;------ Check PE-header signature CMP DWord ptr [PEHeader], 00004550h ; 0,0,E,P (PE Signature) JNZ Not_PE ; If not terminate /W errormsg Write_Console <Offset MsgPEOk> <LenPEOk> ;------ Read the rest of the PE header PUSH 0 ; 0 PUSH offset BytesRead ; bytes read MOV EAX, HeaderSize ; To read SUB EAX, PePrimSize ; except what we already read SUB EAX, [PeHeaderOff] PUSH EAX ; on stack PUSH offset RestOfHead ; To rest of the header PUSH DWord ptr [FileHandle] ; From CALL ReadFile ; Read IT! :) CMP EAX, -1 JZ Error_Read ;------ Write Stuff CALL WriteInfo ; Write some stuff! ;------ Locate Object table movzx EAX, word ptr [NtHeaderSize] ; EAX=0,0,NtHeaderSize ADD EAX, 24 ; Flags=+24 MOV [ObjTblOff], EAX ; (DISPLACEMENT FROM PEHeader) ;----- Is there space in the object table for another object? pushad movzx eax, [NumObj] ; Number of objects inc eax ; + the on we'll add mov ecx, 40d mul ecx ; times 40 (size of a object record) add eax, [ObjTblOff] ; add displacement from PeHeader add eax, [PeHeaderOff] ; Add the PEHeader's File offset cmp eax, [HeaderSize] ; compare it to the headers's size popad jg NoObjSpace ;------ Encrypt objects!! CALL Encrypt ; encrypt everything :) MOV ESI, [ImageBase] CMP ESI, 10000h ; Issue old linker warning! JNZ NotOldPe ; should I keep this mesg? Write_Console <Offset MsgOhfuck> <LenOhfuck> NotOldPe: ;----- Locate Last object in Object table LEA ESI, [PEHeader] ; OFfset PEheader ADD ESI,EAX ; Adjust ESI=real Offset(ObjTable) movzx EAX, [NumObj] ; Ax= Number of objects MOV ECX, 40 ; 40d bytes each (see ObjectForm) XOR EDX,EDX ; EDX=0 (cLEAn division) MUL ECX ; => EAX= Number of bytes ; In objecttable ADD ESI, EAX ; => ESI= offset of unADDed ;------ ADD another object! INC word ptr [NumObj] ; That's the number of them :) LEA EDI,[ObjectForm] XCHG EDI,ESI ; ESI = NewObject (form) ; EDI = NewObject (in table) ;------ Calculate new Object's RVA MOV EAX,[EDI-40+8] ; Previous object VirtualSize ADD EAX,[EDI-5*8+12] ; Previous object's RVA MOV ECX, DWord ptr [ObjAlign] ; Alignment XOR EDX,EDX ; CLEAr EDX for 32 bit DIVision DIV ECX ; How many Aligned "pages" did TEST EDX,EDX ; Was the previous page aligned? JZ PrevAligned INC EAX ; it use - ADD another "page" PrevAligned: MUL ECX ; back to bytes MOV DWord ptr [RVA],EAX ; (This smells.. ) MOV [AppVirOff], EAX ;------ Calculate New objects Phys Size MOV ECX, DWord ptr [FileAlign] ; File "page" size MOV EAX, AppendEnd-AppendStart ; Size of appention code MOV DWord ptr [PhysicalSize],EAX ;------ Calculate the Virtual Size of the new object MOV ECX,DWord ptr [ObjAlign] MOV EAX,AppendEnd - AppendStart ; Size of Appendix XOR EDX,EDX DIV ECX INC EAX MUL ECX MOV DWord ptr [VirtualSize],EAX ;------ calculate the physical offset of the new object MOV EAX, [EDI-40+20] ; Previous Phys size ADD EAX,[EDI-40+16] ; Previous phys offset MOV ECX,DWord ptr [FileAlign] ; File "pages" XOR EDX,EDX DIV ECX INC EAX ; No need for test edx,edx MUL ECX ; since prev. obj must be aligned! MOV DWord ptr [PhysicalOffset],EAX ;------ update the image size (the size in memory) of the file mov eax, [VirtualSize] add [ImageSize],eax ;------ Copy it the new object!!!! CLD ; Forward copy MOV ECX, 40 ; 40 bytes = size of objects REP MOVSB ; copy ;------ Calculate the new entrypoint RVA MOV EAX,DWord ptr [RVA] ; RVA of new Object (our code) MOV EBX,DWord ptr [entrypointRVA] ; Save old RVA entry MOV DWord ptr [entrypointRVA],EAX ; Put in new one in PE header! ;----- Set the value needed to return to the host MOV [AppEntryRVA], EBX ; store EntryRVA in Appendix MOV BytesRead, 0 ;----- Set FilePoint to PEheader! PUSH 0 PUSH 0 PUSH DWord ptr [PeHeaderOff] PUSH DWord ptr [FileHandle] CALL SetFilePointer ;----- Write the pe header and object table to the file PUSH 0 PUSH offset BytesRead MOV EAX, [HeaderSize] SUB EAX, [PeHeaderOff] PUSH EAX PUSH offset PEHeader PUSH DWord ptr [FileHandle] CALL WriteFile ;----- MOVe FilePointer to the physical offset of the new object ;----- I'm not too happy about this moving the file pointer beyound the ; EOF instead of actually zeropadding the last object before adding our ; own... theoretically you should zero pad!!!! PUSH 0 PUSH 0 PUSH DWord ptr [PhysicalOffset] PUSH DWord ptr [FileHandle] CALL SetFilePointer ;----- append decryption code MOV BytesRead,0 PUSH 0 PUSH offset BytesRead ; This many bytes appended MOV EAX, AppendEnd-AppendStart ; This many bytes dESIred to be appended PUSH EAX PUSH offset AppendStart PUSH DWord ptr [FileHandle] CALL WriteFile terminate: CALL CloseFile ; Close the damn file Exit_Proc: ; Exit Process PUSH LARGE-1 CALL ExitProcess Not_PE: Write_Console <Offset MsgNotPE> <LenNotPE> JMP terminate Error_Read: Call GetLastError Write_Console <Offset MsgErrRead> <LenErrRead> Call Hex2Dec Write_Console <Offset MsgH> <LenH> JMP terminate NoObjSpace: Write_Console <offset MsgNoObjSpace> <LenNoObjSpace> jmp terminate NoCommandLine: Write_Console <offset MsgNoCmdLine> <LenNoCmdLine> JMP terminate Encrypt PROC PUSHAD movzx ECX, [NumObj] ; ECX = Number of objects! ; For when we encrypt all objects Write_Console <offset MsgObjLine> <LenObjLine> MOV ESI, offset PEHeader ;----- Preserve Import INFO stored out of .idata section MOV EAX, dword ptr [ESI+128] ; RVA MOV [ITRVA], EAX MOV [ITENDRVA], EAX ; IT RVA (import table) MOV EAX, [ESI+132] ADD [ITENDRVA], EAX ; Size of IT! (import table) MOV EAX, dword ptr [esi+0d8h] ; RVA of IAT MOV [AppIAT], EAX add eax, dword ptr [esi+0d8h+4] ; Size of IAT mov [AppEndIAT],EAX mov dword ptr [esi+0d0h],0 ; gestapo method :) mov dword ptr [esi+0d4h],0 ; eradicate information on which DLL's TO load ; NT will instead use the IT ;----- go on with encryption MOV EAX, [ObjTblOff] ADD ESI,EAX ; ESI= First object item table XOR EDI, EDI nextobject: call Enc_Object add esi, 40 ; => next object in objtable loopd nextobject POPAD RET Encrypt ENDP Enc_Object PROC ; Encrypts an object ; ESI should => Objtable ; of object pushad Write_Console <offset MsgLfCf> <LenLfCf> call ObjectInfo ; Lame screen output mov [ObjectDone],0 cmp dword ptr [ESI], 'adr.' ; stay out of .rdata jz noencrypt ; .rdata contains all kinda ; fucked up debug info'n'stuff cmp dWord ptr [ESI], 'ler.' ; Stay out of relocations jz noencrypt ;******* Unencrypted relocations is not a problem given: ; add [byte in image] + encryption [byte in image] ; = encryption [byte in image] + add [byte in image] ; and that encryption [byte in image] | encryption [byte-1 in image] ; = encryption [byte in image] - that encryption is independant of previous ; bytes.. this basically means you can't use ROL/ROR or XOR in your encryption ; scheme unless you specifically deal with relocation or sacrifice general ; compatability (while this at first glance seems to be a major problem ; in regards to getting a strong polymorphic encryption that is not the case!!!) ; Also relocations is only used *IF* win95 cannot map the same virtual address ; as the PE file was linked under. (almost never) Encrypting Relocations can be handled ; and will be shit annoying to unpack! cmp DWord ptr [ESI], 'adi.' ; Stay out of Import data jz noencrypt ; .idata *usually* :( contains the IAT which means trouble if we encrypt it. ; lemme think this "issue" over a couple of days! cmp dword ptr [ESI], 'ade.' ; Stay out of export data jz noencrypt ; can I safely encrypt it? cmp dword ptr [ESI], 'rsr.' ; Stay out of resource code jz noencrypt ; cmp dword ptr [ESI], 'oci.' ; Don't wanna encrypt the icon ;) jz noencrypt cmp dword ptr [esi+16], 0 ; If size of object=0 then jz noencrypt ; do not encrypt (e.g. .bss) Write_Console <offset MsgYup> <LenYup> MOV EDI, dword ptr [ESI+12] MOV [CurrentRVA], EDI MOV bl, byte ptr [ESI+39] ; Force Write Axx. to obj. OR bl, 80h ; if we don't we get a page MOV byte ptr [ESI+39],bl ; fault OR a protection fault! MOV EDI, [CurrDisp] MOV EAX, [ESI+12] MOV [AppObjectRVA+EDI], EAX MOV EAX, [ESI+16] ; EAX= phys size of Obj! MOV [AppObjectSize+EDI], EAX Add [CurrDisp], 8 ; Update Current Displacement of RVA INC Byte ptr [AppNumObj] ; Update XOR EDX,EDX MOV EDI,16 ; 10h DIV EDI MOV EDI,EAX ; EDI = number of 10h byte blocks MOV EAX, [ESI+20] ; Current Position to EAX MOV [CurrentPos], EAX ;----- MOVe FilePointer to the physical offset of the new object PUSH 0 ; Method 0 - from start of file PUSH 0 PUSH DWORd ptr [ESI+20] PUSH DWORd ptr [FileHandle] CALL SetFilePointer NextBlock: PUSH 0 ; 0 PUSH offset BytesRead ; bytes read MOV EAX, 16 PUSH EAX PUSH offset EncryptBuffer ; To EncryptBuffer PUSH DWORd ptr [FileHandle] ; From our file CALL ReadFile ; Read IT! :) MOV ECX,16 MOV EBX, offset EncryptBuffer encryptloop: mov dl, [ObjectDone] ; Have we encountered the IT cmp dl, 1 ; in this object? jz IT ; if so - don't encrypt any more mov EDX, [CurrentRVA] ; are we in the IT? CMP edx, [ITENDRVA] jg NotIT cmp EDX, [ITRVA] jl NotIT MOV EDX, [CurrDisp] ; Yes - this is the IT sub edx, 8 push eax MOV eax, [CurrentRVA] sub eax, [ESI+12] dec eax MOV [AppObjectSize+EDX], EAX ; Decrypt this many bytes instead POP EAX mov [ObjectDone],1 jmp IT NotIT: ADD byte ptr [EBX],subvalue ; simple encryption scheme IT: INC EBX INC dword ptr [CurrentRVA] LOOPD encryptloop PUSH 0h PUSH 0h PUSH DWORd ptr [CurrentPos] PUSH DWORd ptr [FileHandle] CALL SetFilePointer MOV [BytesRead],0 PUSH 0 PUSH offset BytesRead ; Bytes Read MOV EAX, 16 PUSH EAX ; number of bytes PUSH offset EncryptBuffer ; EncryptBuffer PUSH DWORd ptr [FileHandle] ; to filehandle CALL WriteFile ADD [CurrentPos],16 DEC EDI JNZ NextBlock noencrypt: popad ret Enc_Object ENDP OpenRW PROC PUSH 0 PUSH offset FileAttr ; FILE_ATTRIBUTE_NORMAL PUSH 3 ; OPEN_EXISTING PUSH 0 PUSH 0 PUSH 80000000h + 40000000h ; GENERIC_READ + GENERIC_WRITE PUSH edi ;offset FileName CALL CreateFileA ; open file in read/write mode RET OpenRW ENDP CloseFile PROC PUSH DWord Ptr [FileHandle] CALL CloseHandle RET CloseFile EndP WriteInfo PROC ; Just lame screen output PUSHAD Write_Console <offset MsgPeHOff> <LenPeHOff> MOV EAX, [PeHeaderOff] CALL Hex2Dec Write_Console <offset MsgH> <LenH> Write_Console <Offset MsgHSize> <LenHSize> MOV EAX, [HeaderSize] Call Hex2Dec Write_Console <offset MsgH> <LenH> Write_Console <Offset MsgImageSize> <LenImageSize> MOV EAX, [ImageSize] Call Hex2Dec Write_Console <offset MsgH> <LenH> Write_Console <offset MsgNumObj> <LenNumObj> MOVZX EAX, [NumObj] CALL Hex2Dec Write_Console <offset MsgH> <LenH> Write_Console <offset MsgObjAlg> <LenObjAlg> MOV EAX, [ObjAlign] call Hex2Dec Write_Console <offset MsgH> <LenH> Write_Console <offset MsgIB> <LenIB> MOV EAX, [ImageBase] CALL Hex2Dec Write_Console <offset MsgH> <LenH> Write_Console <offset MsgEPRVA> <LenEPRVA> MOV EAX, [entrypointRVA] CALL Hex2Dec Write_Console <offset MsgH> <LenH> Write_Console <offset MsgAppendSize> <LenAppendSize> MOV EAX, AppendEnd-AppendStart call Hex2Dec Write_Console <offset MsgH> <LenH> POPAD RET WriteInfo ENDP ObjectInfo PROC ; Write Info on objecttable at PUSHAD ; ESI mov ecx, 8 ; Object Name call Dump2Screen Write_Console <offset MsgSpace> <LenSpace> ; " " Add esi, 8 ; VirSize mov eax, [ESI] call Hex2Dec Write_Console <offset MsgH2> <LenH2> add esi, 4 ; Object RVA mov EAX, [ESI] call Hex2Dec Write_Console <offset MsgH2> <LenH2> ; "h " add esi, 4 ; Physical Size mov eax, [ESI] call Hex2Dec Write_Console <offset MsgH2> <LenH2> ; "h " add esi, 4 ; PhysPos mov eax, [esi] call Hex2Dec Write_Console <offset MsgH2> <LenH2> ; "h " add esi, 16 ; Flags mov eax, [esi] call Hex2Dec Write_Console <offset MsgH2> <LenH2> ; "h",10,13 POPAD RET ObjectInfo ENDP Dump2Screen PROC ; Writes ECX bytes from ESI on console PushA PushF Push 0 ; lpvReserved Push offset cchWritten ; lpcchWritten Push ECX ; cchToWrite Push ESI ; lpvBuffer Push [ConHandle] ; hConsoleOutput Call WriteConsoleA ; i will let u think about it :) PopF PopA RET Dump2Screen ENDP ;------ Everything below here is append to the PE file :) AppendStart: PUSH EBP EDI ESI EDX ECX EBX ; No point in saving EAX / EAX = ; ENTRYPOINT ADDRESS - So we make ; sure it still is so! ; int 3h ; <<<<<<<<< Breakpoint for the almighty CALL next ; calculate delta offset! next: POP EBP MOV EDX, EBP ; Save EIP SUB EBP, offset next ; Calculate delta offset SUB EDX, [AppVirOff+EBP] ; Subtract the virtual offset SUB EDX, offset next- offset AppendStart ; Subtract the push in the start ; => EDX= reallocated IB ; Sometimes you're pretty clever, Stone :) MOV [AppImageBase+EBP],EDX ADD [AppIAT+ebp], EDX ; from RVA => VA ADD [AppEndIAT+ebp],EDX cmp [AppStatus+ebp],0 ; envoke decryption only if first time jnz ReturnToHost ; dll will envoke code on entrypoint mov [AppStatus+ebp],1 ; more than once - but always once ; when loaded! Lea esi, [AppNumObj+ebp] movzx esi, Byte ptr [esi] MOV EDI, EBP Nextobj: LEA EBX, [AppImageBase+EBP] ; Fetch Imagebase MOV EBX, [EBX] LEA EAX, [AppObjectRVA+EDI] ; fetch the RVA of the object MOV EAX, [EAX] ADD EBX, EAX ; Imagebase+RVA LEA ECX, [AppObjectSize+EDI] ; Fetch number of bytes to DECrypt MOV ECX, [ECX] DeCryptloop: ; DECrypt it cmp ebx, dword ptr [AppEndIAT+ebp] jg NotIAT cmp ebx, dword ptr [AppIAT+EBP] jl NotIAT jmp IAT NotIAT: SUB byte ptr [EBX],subvalue ; Wooohoo.. powerful encryption IAT: INC EBX LOOPD DeCryptloop ADD EDI, 8 ; Next Object! (8=1dword of RVA, 1dword of size) dec esi jnz Nextobj ReturnToHost: ;------- Return to Host MOV EAX, [AppEntryRVA+EBP] ; EAX = new entrypoint RVA MOV EBX, [AppImageBase+EBP] ; EBX = ImageBase ADD EAX, EBX ; EAX = New Entrypoint POP EBX ECX EDX ESI EDI EBP ; restore registers JMP EAX breakpoint: ;------- Appended data AppIAT dd 0 ; IAT starts here AppEndIAT dd 0 ; IAT ends here AppStatus db 0 ; decrypted already marker AppVirOff dd 0 ; Virtual offset (RVA) of Appended code AppEntryRVA dd 0 AppNumObj db 0 ; Number of objects to decrypt AppImageBase dd 0 ; ImageBase in appeded Code! AppObjectRVA dd 0 ; Encrypted Objects RVA AppObjectSize dd 0 ; Size of Object AppMoreObjects db 40 dup (0) ; 5 more encrypted objects ; should I add more space? ; or just let it use the next string? db "Encrypted by Stone/UCF - PowerLame PE-ExeEnCrypter! :) " db "2nd&mi" ; Personal tag - not used! AppendEnd: ;────────────────────────────────────────────────────────────────────────────── End Main